Information Networking Security and Assurance Lab National Chung Cheng University Introduction to Software Security Jared 2004/03/17.

Introduction to Software Security
 Computer security is an important topic
 E-commerce is blossoming
 The Internet is working its way into every nook
 All of these share a common enemy: bad software

It's All about the Software
 Software no longer just supports offices and home entertainment; it runs the systems we depend on
 The biggest problem in computer security is the software itself
 You may have the world's best firewall, but…
 Malicious hackers do not create security holes; they exploit holes that are already there

Hackers, Crackers, and Attackers
Hacker
 Originally a positive term; it sprang from MIT during the late 1960s
 People who solve tricky problems through programming: the software engineer as MacGyver
 Most people now use the word in its negative sense
 Calling every hacker a criminal is like asking whether locksmiths are burglars

Hackers, Crackers, and Attackers
Cracker
 In the mid 1980s, hackers coined the term cracker to distinguish themselves from the criminals
 A cracker is someone who breaks software for nefarious ends

Hackers, Crackers, and Attackers
Attacker
 "Hacker" still carries warm, fuzzy feelings for many people
 To avoid the ambiguity, this course says malicious hacker, attacker, or bad guy

Who Is the Bad Guy?
 What do hackers do? If they break into a system, they should notify the author of the software so the hole can be fixed
 Bad guy: little or no programming ability; downloads, builds and runs attack programs written by someone else
 Hackers call such a person a script kiddie
 Who wrote those programs? Usually hackers, not always with malicious intent; full disclosure puts working attack code into everyone's hands, script kiddies included

Dealing with Widespread Security Failures
Popular sources for vulnerability information
 Bugtraq
 CERT advisories
 RISKS Digest

Dealing with Widespread Security Failures
Sources for vulnerability information: Bugtraq
 Administered by securityfocus.com
 A discussion list, not an announcement list; the signal-to-noise ratio (SNR) on Bugtraq is low
 Follows a full-disclosure policy
 Full disclosure encourages vendors to fix problems more quickly, because the details are already public


Dealing with Widespread Security Failures
Sources for vulnerability information: CERT advisories
 CERT/CC is a federally funded research and development center (hosted at Carnegie Mellon University)
 Studies Internet security vulnerabilities
 Provides incident response services
 Publishes a variety of security alerts
 Does not publicize an attack until a patch is available
 Only releases advisories for significant problems

Dealing with Widespread Security Failures
Sources for vulnerability information: RISKS Digest
 A mailing list, also distributed as the comp.risks newsgroup
 Most Java security attacks first appeared here

Technical Trends Affecting Software Security
 Computer networks are becoming ubiquitous: more systems to attack, more attacks, and greater risk from poor software security practice
 The size and complexity of information systems, and of the programs behind them, keep growing
 C and C++ do not protect against buffer overflows; the language trusts the programmer to check every length
 Large, complex systems are more likely to be improperly configured
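The buffer-overflow point above, as an added example (not code from the original slides): the unchecked copy that C and C++ let you write, beside the bounded version. The `struct session` layout, with a privilege flag directly behind a fixed-size name field, is an assumption chosen so the effect of the overflow is visible; in real programs the bytes that get clobbered are saved return addresses, function pointers or heap metadata, but the defect is the same unchecked length.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original slides.  The layout is an assumption
 * chosen for illustration: a fixed-size username field sits directly in
 * front of a privilege flag, so an overflow of user[] lands on is_admin. */
struct session {
    char     user[16];
    uint32_t is_admin;      /* 0 = ordinary user, non-zero = administrator */
};

/* VULNERABLE: trusts the caller-supplied length.  C performs no bounds
 * check, so any len > sizeof s->user writes past the field and clobbers
 * whatever lies beyond it (here, is_admin). */
void set_user_unchecked(struct session *s, const char *name, size_t len)
{
    memcpy(s->user, name, len);          /* no check against sizeof s->user */
}

/* HARDENED: refuse input that does not fit together with its terminator,
 * and report the refusal instead of silently truncating (truncation can
 * itself turn into a logic bug elsewhere in the program). */
int set_user_checked(struct session *s, const char *name, size_t len)
{
    if (len >= sizeof s->user)           /* leave room for the NUL */
        return -1;
    memcpy(s->user, name, len);
    s->user[len] = '\0';
    return 0;
}

/* Constructed attacker input: 16 filler bytes fill user[] exactly, and the
 * next 4 bytes land on is_admin.  (The 21st byte, the literal's NUL, is
 * dropped by the C initializer because the array is sized to 20.) */
static const unsigned char payload[20] =
    "AAAAAAAAAAAAAAAA" "\x01\x00\x00\x00";

/* Feeds the payload to the unchecked copy and reports the flag afterwards. */
uint32_t overflow_demo(void)
{
    struct session s = { "", 0 };
    set_user_unchecked(&s, (const char *)payload, sizeof payload);
    return s.is_admin;                   /* no longer 0 on typical layouts */
}

int main(void)
{
    struct session s = { "", 0 };
    printf("unchecked copy: is_admin = %u\n", (unsigned)overflow_demo());
    printf("checked copy (too long): rc=%d is_admin=%u\n",
           set_user_checked(&s, (const char *)payload, sizeof payload),
           (unsigned)s.is_admin);
    printf("checked copy (fits): rc=%d user=%s\n",
           set_user_checked(&s, "alice", 5), s.user);
    return 0;
}
```

The checked version rejects a 16-byte name even though it technically fits, because the terminator would not; that off-by-one is where many "bounded" copies still go wrong. On glibc builds compiled with `_FORTIFY_SOURCE`, the unchecked copy may instead be caught at run time and abort with a "buffer overflow detected" message; that mitigation is a safety net, not a substitute for the length check.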

Technical Trends Affecting Software Security
 Systems are becoming extensible, which makes it hard to prevent malicious code from slipping in
 Examples: the plug-in architecture of Web browsers, word processors, e-mail clients, and spreadsheets

The 'ilities
What Is Security?
 Security means enforcing a policy that describes the rules for accessing resources
 Without a well-defined policy there is no way to say whether a system is secure

The 'ilities
Isn't That Just Reliability?
 Reliability and security overlap but are not the same thing
 Reliability problems can be considered denial-of-service (DoS) problems: a crash an attacker can trigger on demand is a security problem

Penetrate and Patch Is Bad
Vendors have paid little attention to security. Problems with the penetrate-and-patch approach:
 Developers can only patch problems that they know about. Attackers may find problems that they never report to developers.
 Patches are rushed out as a result of market pressures on vendors, and often introduce new problems of their own to a system.
 Patches often only fix the symptom of a problem, and do nothing to address the underlying cause.
 Patches often go unapplied, as system administrators tend to be overworked, and often do not wish to make changes to a system that "works". As discussed earlier, system administrators are generally not security professionals.


On Art and Engineering
 Software engineering is going through the "Internet time" phenomenon
 These days, Internet years rival dog years in shortness of duration
 Specifications are often poorly written
 Is a given flaw an implementation problem or a specification problem?

Security Goals
 Prevention
 Traceability and auditing
 Monitoring
 Privacy and confidentiality
 Multilevel security
 Anonymity
 Authentication
 Integrity

Security Goals
Prevention
 An ounce of prevention is worth a pound of punishment
 Internet time is the enemy of software security: it speeds up the propagation of attacks
 Zero-day attacks hit before any patch exists
 Prevention is therefore more important than ever

Zero day

Security Goals
Traceability and Auditing
 There is no 100% security, so plan for the attack that gets through
 Traceability and auditing are the keys to recovering
 Needed for forensics: detect, dissect, and demonstrate an attack
Monitoring
 Real-time auditing
 Intrusion detection systems (IDS)
 Tripwires: baseline checksums of critical files, compared later to detect tampering

Security Goals
Privacy and Confidentiality
 The two are deeply intertwined
 Three groups care about them: individuals, businesses, and governments
 There are lots of reasons for software to keep secrets and to ensure privacy
 Anyone who can observe a running program may pry out a secret the software is trying to hide

Security Goals
Multilevel Security
 Classification levels run from Unclassified up to Top Secret
 The same idea applies to employees, business partners and others who are trusted to different degrees
Anonymity
 A double-edged sword
 Cookies: a common way Web sites tie requests back to an individual who believes they are anonymous
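The multilevel-security rules behind the Unclassified-to-Top-Secret hierarchy, as an added example that is not part of the original slides: a small Bell-LaPadula check over labels. The level names are the slide's; the compartment names (`COMP_CRYPTO`, `COMP_NUCLEAR`, `COMP_HR`) and the sample labels are assumptions made up for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the original slides: Bell-LaPadula "no read up" /
 * "no write down" decisions over a lattice of labels.  Compartment names
 * below are assumptions chosen for illustration. */
enum level { UNCLASSIFIED = 0, CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 };

/* Compartments ("need to know") form a set, stored as a bit mask. */
enum compartment {
    COMP_CRYPTO  = 1u << 0,
    COMP_NUCLEAR = 1u << 1,
    COMP_HR      = 1u << 2
};

struct label {
    enum level level;
    uint32_t   compartments;
};

/* Label a dominates label b when a's level is at least b's AND a holds every
 * compartment b has.  Labels can be incomparable (neither dominates), which
 * is why this is a lattice rather than a simple ladder of levels. */
bool dominates(struct label a, struct label b)
{
    return a.level >= b.level && (b.compartments & ~a.compartments) == 0;
}

/* Simple security property ("no read up"): a subject may read an object
 * only if the subject's clearance dominates the object's classification. */
bool can_read(struct label subject, struct label object)
{
    return dominates(subject, object);
}

/* *-property ("no write down"): a subject may write an object only if the
 * object's classification dominates the subject's clearance.  This is what
 * stops a Top Secret process from copying data into an Unclassified file,
 * whether by mistake or because malicious code has subverted it. */
bool can_write(struct label subject, struct label object)
{
    return dominates(object, subject);
}

/* Permitted operations as a bit mask: read = 1, write = 2. */
unsigned access_mask(struct label subject, struct label object)
{
    unsigned m = 0;
    if (can_read(subject, object))  m |= 1u;
    if (can_write(subject, object)) m |= 2u;
    return m;
}

static const char *level_name(enum level l)
{
    static const char *names[] = { "Unclassified", "Confidential", "Secret", "Top Secret" };
    return names[l];
}

int main(void)
{
    /* Sample subject and objects are constructed for the demo. */
    struct label analyst = { TOP_SECRET, COMP_CRYPTO };
    struct label objects[] = {
        { SECRET,       COMP_CRYPTO },                 /* read only: writing would be a write-down */
        { SECRET,       COMP_NUCLEAR },                /* incomparable: no access either way */
        { TOP_SECRET,   COMP_CRYPTO | COMP_NUCLEAR },  /* write only: it dominates the subject */
        { UNCLASSIFIED, 0 },                           /* read only */
    };
    for (size_t i = 0; i < sizeof objects / sizeof objects[0]; i++) {
        unsigned m = access_mask(analyst, objects[i]);
        printf("%-12s compartments=0x%x: %s%s\n", level_name(objects[i].level),
               (unsigned)objects[i].compartments,
               (m & 1u) ? "read " : "", (m & 2u) ? "write" : "");
    }
    return 0;
}
```

The second object shows why compartments matter: a Top Secret clearance without the NUCLEAR compartment gets no access at all to a Secret/NUCLEAR file, even though its level is higher. The third shows the counter-intuitive half of the model, a subject allowed to write a file it is not allowed to read; real systems usually add trusted downgraders and integrity rules on top of this core.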


Security Goals
Authentication
 One of the big three security goals
 Who, when, and how
 Nowadays physical presence is not enough
 Authentication on the Web
 SSL: the session is encrypted, but to whom are you connected? Only checking the certificate answers that

Security Goals
Integrity
 Does the data stay the same as when it was written?
 Stock prices as an example: a quote altered on its way to you is useless even if it was never disclosed to anyone

Software Project Goals
Functionality
 To solve a problem
Usability
 Affects reliability: users work around security they find awkward
Efficiency
 Security often comes with significant overhead
Time-to-market
 Internet time happens
Simplicity
 Good for both software and security

Conclusion
 Computer security is a vast topic
 The root of most security problems is software